Hack of Law Enforcement Websites Exposes Personal Information of 700,000 Cops
Hack of Law Enforcement Websites Exposes Personal Information of 700,000 Cops | |
---|---|
Short Title | Hackers Published an Archive Containing Data from 251 Law Enforcement Websites Including Personal Information of 700,000 Police Officers |
Location | United States |
Date | June 2020 |
Solove Harm | Insecurity, Disclosure, Interrogation |
Information | Identifying, Professional, Authenticating, Contact, Computer Device, Social Network |
Threat Actors | Unidentified hackers, Law Enforcement |
Individuals | |
Affected | Law Enforcement Officers |
High Risk Groups | Law Enforcement Officer |
Tangible Harms |
In June 2020 hackers were able to access and expose a database containing personal information of 700,000 law enforcement agents. The archive contains over 16 million rows of data, including emails, descriptions of alleged crimes, and other detailed personal information.
Description
In June 2020 the transparency collective Distributed Denial of Secrets published 269 gigabytes of law enforcement data on its website and via the peer-to-peer file sharing technology BitTorrent. Their actions can be seen as Interrogation of websites for information.
This archive, containing data from 251 different law enforcement websites, was mostly taken from fusion center websites (which were formed to share intelligence between agencies and prevent future terrorist attacks). Some of the hacked websites were for local police departments, police training organizations, members-only associations for cops or retired FBI agents, and law enforcement groups specifically dedicated to investigating organized retail crime, drug trafficking, and working with industry. This is an example of Insecurity.
All of the hacked websites were hosted and built by the firm Netsential on Windows servers located in Houston. They were all running the same custom content management system, developed using Microsoft’s ASP.NET framework in the programming language VBScript, using Microsoft Access databases. Because they all ran the same software, a hacker who found a vulnerability in one of the websites that allowed them to download all the data from it could use that vulnerability to hack the rest of the websites without much additional effort. This is an example of Insecurity.
Personal information of 700,000 law enforcement officers was exposed, including full name; rank; police department or agency; email address; home address; cellphone number; supervisor’s name, rank, and email address; the IP address used to create the account; and a password hash. This is an example of Disclosure. If a user’s password is weak, hackers with access to its hash could crack it to recover the original password, potentially leading to a giant list of all the weak passwords used by U.S. law enforcement.
After the data was published, Twitter permanently suspended the DDoSecrets Twitter account and Reddit banned the r/blueleaks forum, citing its policy against posting personal information. German authorities seized a server belonging to DDoSecrets that was hosting BlueLeaks data. BitTorrent is the only way the data is currently being distributed by the organization.
Breakdown
Threat: Law enforcement agencies not protecting websites and internal systems from unauthorised access, and making such access easier by running the same software and setup on all of them
At-Risk group: Police officers
Harm: Insecurity
Secondary Consequences: not known
Threat: Hackers posting policemen's home addresses and names online
At-Risk group: Police officers
Harm: Disclosure
Secondary Consequences: Potentially: Changed behavior
Threat: Hackers probing law enforcement websites for personal information about the policemen
At-Risk group: Police officers
Harm: Interrogation
Secondary Consequences: not known
Laws and Regulations
Sources
https://theintercept.com/2020/07/15/blueleaks-anonymous-ddos-law-enforcement-hack/